CVE-2026-44941
High (CVSS 8.4)
Exploitation Probability (EPSS): Low risk, 38th percentile (higher than 38% of all known CVEs)
Summary
libzypp before version 17.38.12 contains a relative path traversal vulnerability in the handling of the "keyhint" option during repomd.xml parsing. Attackers able to supply a malicious repository can inject or overwrite files on the target system as root.
Risk Assessment
Because the files are written as root, an attacker could overwrite critical system files to achieve remote code execution or privilege escalation, which could lead to full system compromise.
Recommendation
Immediately update libzypp to version 17.38.12 or later and avoid using untrusted repositories.
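As a defensive illustration of the bug class described in the summary (an added example, not libzypp's code), the following Python script audits a repomd.xml for key hints that are not plain file names. It assumes key hints are carried as `<content>` entries under `<tags>` with an optional `?query` suffix; the cache directory path is hypothetical and the sample document is constructed.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample metadata. The <tags>/<content> layout for key hints
# is an assumption made for this example, not taken from the advisory.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <tags>
    <content>gpg-pubkey-0123abcd-5f000000.asc?fpr=0123456789ABCDEF</content>
    <content>../../outside/gpg-pubkey-0123abcd-5f000000.asc</content>
    <content>/abs/gpg-pubkey-0123abcd-5f000000.asc</content>
  </tags>
</repomd>
"""

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def is_plain_filename(name):
    """A key hint should name a single file: no separators, no dot entries."""
    if not name or name in (".", ".."):
        return False
    return not any(c in name for c in ("/", "\\", "\x00"))

def resolves_inside(base, name):
    """True if base/name, once normalized, still lies below base."""
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, name))
    return target.startswith(base + "/")

def audit_keyhints(repomd_xml, cache_dir="/var/cache/example/pubkeys"):
    """Return (hint, safe) pairs for every <tags>/<content> entry."""
    findings = []
    root = ET.fromstring(repomd_xml)
    for tags in root.iter():
        if local(tags.tag) != "tags":
            continue
        for el in tags:
            if local(el.tag) != "content":
                continue
            hint = (el.text or "").strip()
            name = hint.split("?", 1)[0]  # drop the optional query part
            safe = is_plain_filename(name) and resolves_inside(cache_dir, name)
            findings.append((hint, safe))
    return findings

if __name__ == "__main__":
    for hint, safe in audit_keyhints(SAMPLE_REPOMD):
        print("ok     " if safe else "REJECT ", hint)
```

The two checks are deliberately redundant: the file-name test rejects separators outright, and the normalized-prefix test still catches an escaping path if the first rule is ever relaxed.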
Original NVD description (English source)
A relative path traversal in the "keyhint" option in repomd.xml parsing of libzypp before 17.38.12 can be used by attackers able to supply a malicious repository to inject or overwrite files in the target system as root.

